US12579024B1ActiveUtility

Techniques for code intent discovery

60
Assignee: WIZ INCPriority: May 22, 2025Filed: May 22, 2025Granted: Mar 17, 2026
Est. expiryMay 22, 2045(~18.9 yrs left)· nominal 20-yr term from priority
G06F 21/563G06F 11/0793
60
PatentIndex Score
0
Cited by
15
References
19
Claims

Abstract

A system and method for detecting code intent of code objects in a computing environment for assessing cybersecurity risk is presented. The method includes detecting a plurality of code objects in a computing environment; statically analyzing each code object of the plurality of code objects to determine a plurality of potential intents, each potential intent corresponding to an action; generating a cybersecurity signal in the computing environment based on a plurality of event records; detecting in the cybersecurity signal a first event corresponding to a potential intent; determining that the potential intent is a code intent based on the detection; detecting in the cybersecurity signal a second event which does not correspond to any potential intent; and initiating a remediation action in the computing environment based on the detected second event.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method for detecting code intent of code objects in a computing environment for assessing cybersecurity risk, comprising:
 detecting, based on inspection of an inspectable disk, a plurality of code objects in a computing environment;   statically analyzing each code object of the plurality of code objects to determine a plurality of potential code intents, each potential code intent corresponding to an action;   generating a cybersecurity signal in the computing environment based on a plurality of event records;   detecting in the cybersecurity signal a first event corresponding to a potential code intent;   determining that the potential code intent is a code intent based on the detection of the first event corresponding to a potential code intent;   detecting in the cybersecurity signal a second event which does not correspond to any potential code intent; and   initiating a remediation action in the computing environment based on the detected second event.   
     
     
         2 . The method of  claim 1 , further comprising:
 detecting the plurality of code objects in a code repository of the computing environment, wherein the code repository is configured to store a plurality of versions of each code object.   
     
     
         3 . The method of  claim 1 , further comprising:
 generating a call graph based on the static analysis of each code object of the plurality of code objects.   
     
     
         4 . The method of  claim 1 , further comprising:
 receiving an event from a runtime sensor, the runtime sensor deployed on a resource and configured to detect runtime event data on the resource; and   generating the cybersecurity signal based on the received event.   
     
     
         5 . The method of  claim 1 , further comprising:
 detecting an event in a log of the computing environment; and   generating the cybersecurity signal based on the detected event.   
     
     
         6 . The method of  claim 5 , wherein the log is any one of: a cloud log, a network log, an event log, a runtime execution log, or any combination thereof. 
     
     
         7 . The method of  claim 1 , further comprising:
 detecting a resource in the computing environment, wherein the resource utilizes an application, the application based on a code object of the plurality of code objects;   determining that the second event is associated with the application based on an identifier of the application in a record of the second event; and   determining that the second event does not correspond to any potential code intent associated with the code object of the application.   
     
     
         8 . The method of  claim 7 , further comprising:
 initiating the remediation action based on the application.   
     
     
         9 . The method of  claim 8 , further comprising:
 initiating the remediation action on the resource.   
     
     
         10 . A non-transitory computer-readable medium storing a set of instructions for detecting code intent of code objects in a computing environment for assessing cybersecurity risk, the set of instructions comprising:
 one or more instructions that, when executed by one or more processing circuitries of a device, cause the device to:
 detect based on inspection of an inspectable disk, a plurality of code objects in a computing environment; 
 statically analyze each code object of the plurality of code objects to determine a plurality of potential code intents, each potential code intent corresponding to an action; 
 generate a cybersecurity signal in the computing environment based on a plurality of event records; 
 detect in the cybersecurity signal a first event corresponding to a potential code intent; 
 determine that the potential code intent is a code intent based on the detection of the first event corresponding to a potential code intent; 
 detect in the cybersecurity signal a second event which does not correspond to any potential code intent; and 
 initiate a remediation action in the computing environment based on the detected second event. 
   
     
     
         11 . A system for detecting code intent of code objects in a computing environment for assessing cybersecurity risk comprising:
 one or more processing circuitries configured to:   detect, based on inspection of an inspectable disk, a plurality of code objects in a computing environment;   statically analyze each code object of the plurality of code objects to determine a plurality of potential code intents, each potential code intent corresponding to an action;   generate a cybersecurity signal in the computing environment based on a plurality of event records;   detect in the cybersecurity signal a first event corresponding to a potential code intent;   determine that the potential code intent is a code intent based on the detection of the first event corresponding to a potential code intent;   detect in the cybersecurity signal a second event which does not correspond to any potential code intent; and   initiate a remediation action in the computing environment based on the detected second event.   
     
     
         12 . The system of  claim 11 , wherein the one or more processing circuitries are further configured to:
 detect the plurality of code objects in a code repository of the computing environment, wherein the code repository is configured to store a plurality of versions of each code object.   
     
     
         13 . The system of  claim 11 , wherein the one or more processing circuitries are further configured to:
 generate a call graph based on the static analysis of each code object of the plurality of code objects.   
     
     
         14 . The system of  claim 11 , wherein the one or more processing circuitries are further configured to:
 receive an event from a runtime sensor, the runtime sensor deployed on a resource and configured to detect runtime event data on the resource; and   generate the cybersecurity signal based on the received event.   
     
     
         15 . The system of  claim 11 , wherein the one or more processing circuitries are further configured to:
 detect an event in a log of the computing environment; and   generate the cybersecurity signal based on the detected event.   
     
     
         16 . The system of  claim 15 , wherein the log is any one of:
 a cloud log, a network log, an event log, a runtime execution log, or any combination thereof.   
     
     
         17 . The system of  claim 11 , wherein the one or more processing circuitries are further configured to:
 detect a resource in the computing environment, wherein the resource utilizes an application, the application based on a code object of the plurality of code objects;   determine that the second event is associated with the application based on an identifier of the application in a record of the second event; and   determine that the second event does not correspond to any potential code intent associated with the code object of the application.   
     
     
         18 . The system of  claim 17 , wherein the one or more processing circuitries are further configured to:
 initiate the remediation action based on the application.   
     
     
         19 . The system of  claim 18 , wherein the one or more processing circuitries are further configured to:
 initiate the remediation action on the resource.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.